Psykoterapiakeskus Vastaamo Oy – €608,000 Fine (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vastaamo Oy, a psychotherapy firm, was fined €608,000 for failing to protect patient records and for delaying breach notifications. Hackers accessed its database, and the firm only reported the breach after being blackmailed. This incident stresses the importance of data security and timely communication with affected individuals.
What happened
Vastaamo Oy was fined for inadequate data protection and delayed reporting of breaches after hackers accessed patient records.
Who was affected
Patients of Vastaamo Oy were affected, with some being blackmailed after their sensitive data was leaked.
What the authority found
The Finnish DPA found that Vastaamo Oy failed to secure patient data and delayed notifying both the authority and affected individuals about the breaches.
Why this matters
This case serves as a stark reminder for businesses to prioritize data security and ensure timely breach notifications. It illustrates the severe consequences of failing to protect sensitive information.
The psychotherapy firm Vastaamo Oy (hereafter, the Firm) experienced two data breaches, in November 2018 and March 2019, in which its patient records were hacked by a third party (the attacker). During an investigation conducted by the Finnish DPA, it was found that the Firm had become aware of (at least) the latter data breach at the time it happened. The breaches were not reported to the Finnish DPA until late September 2020, shortly after the Firm had been subjected to blackmail by the attacker. In the following months, at least 15,000 patients were also blackmailed. In particular, the attacker tried to obtain money from them by threatening to publish their personal patient records, and around 300 records were actually leaked online on the Tor network. Following this affair, the Firm suffered financially and was ultimately declared bankrupt by the District Court of Helsinki in February 2021. The Finnish DPA found that the Firm had violated Article 33(1) GDPR (notification of data breaches to the DPA) and Article 34(1) GDPR (communication of data breaches to data subjects) for having failed to report the data breaches in due time to the Finnish DPA and to the data subjects, respectively. Furthermore, the Finnish DPA found that Article 5(1)(f) GDPR had been violated because the Firm had failed to implement appropriate security measures to ensure the integrity and confidentiality of the personal data. The Finnish DPA also considered that the Firm had violated its security obligations under Articles 24(1), 25(1), 32(1) and 32(2) GDPR. Finally, the Finnish DPA considered that the Firm had failed to respect the principle of accountability enshrined in Article 5(2) GDPR, as it could not demonstrate compliance with the core principles of the GDPR. The Sanctions Board of the Finnish DPA decided to impose a fine of €145,600 for infringement of Article 33(1) GDPR, a fine of €145,600 for infringement of Article 34(1) GDPR, and a fine of €316,800 for infringement
Related Enforcement Actions (0)
No other enforcement actions were found for Psykoterapiakeskus Vastaamo Oy in Finland (FI); this is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Psykoterapiakeskus Vastaamo Oy - Finland (2021). Retrieved from cookiefines.eu